Security & Jericho Forums

Objective of Meeting

To complete the objectives listed in the meeting agenda, including the public Plenaries and Security Tracks, as well as the Thursday member meetings.

Summary

Plenary and Conference Tracks

The presentations in the Plenary and Vertical Industry Conference Tracks are available here to members and attendees of this meeting.

Security coverage in the Plenary included Healthcare in the Tuesday Plenary, and in the Tuesday and Wednesday Tracks:

Government | Defense: Platform 3.0/Security

Healthcare

Risk Management

Member Meeting Sessions

Introduction

Members introduced themselves, and reviewed and approved the posted agenda.

Review of Board Report

Members reviewed the slide presentation that was presented to the Governing Board later that day. In particular, the two new member attendees in the meeting found this overview of the Security Forum and the Jericho Forum a useful and informative introduction to the range of our project activities and deliverables.

Identity Management

Ian Dobson gave a brief overview presentation (available to members and non-member attendees only) on progress in the Identity Ecosystem Steering Group (IDESG) and the US National Strategy for Trusted Identities in Cyberspace (NSTIC). It covered the NSTIC and IDESG objectives, how they are approaching those objectives, their progress to date, how our representations from the Security Forum and particularly the Jericho Forum (Jericho Identity Commandments, videos, Key Concepts guide, and use-cases) have been handled, and our plans for contributing further representations to influence the direction of development work towards a trusted identity ecosystem. This included noting that the US Government funding for free IDESG membership is expected to run out by the end of 2013 – six months earlier than planned – and that IDESG's current focus is on demonstrating sufficient value-add to persuade existing members to begin paying for membership.

We also noted the five NSTIC Pilot projects, which NSTIC has funded with a total of $14 million and which are due to complete their work and deliver their results by mid-2014.

Security Automation Framework

Steve Whitlock, Boeing, gave a presentation (available to members and non-member attendees only) on his vision for developing a high-level architecture framework for Security Automation. It would involve the IETF developing the protocols and the Security Forum creating the high-level architecture. He confirmed that the IETF has approved setting up a SACM (Security Automation & Content Management) Work Group, though the SACM charter limits their work at this time to addressing the protocols needed to interconnect the functional components in an envisioned 4-phase cycle. Support for the IETF activity requires active attendance as participants in the IETF SACM WG. In his presentation, Steve explained the key functional components in the 4-phase model. These include ACEML and the NIST Security Content Automation Protocol (SCAP) for configuration, DASv2 for Event Management and alerts, the Authorization Framework from the Cloud Computing Security Work Group, and standards work at IETF (MILE, NEA) and on Machine Health (TCG).

Discussion concluded that the Security Forum could advance the vision for this project by developing a White Paper setting out the high-level Architecture Framework. He noted that NIST has developed a draft architecture – CAESAR-FE – which has similarities to the high-level architecture he envisions, and this is in the public domain so we could use that as guidance.

Action: Three members of the Security Forum volunteered to develop a White Paper outlining a Security Automation high-level architecture, based on Steve's slide presentation and taking into consideration the NIST CAESAR-FE paper.

Secure Mobile Architecture

Members reviewed the current work to upgrade the published SMA Snapshot to become an Open Group Standard. This review included an assessment of how we are developing a traceability matrix to validate conformance to the requirements stated in the SMA specification. This work will provide a sound basis for developing a certification scheme for compliant implementations of the SMA Standard. A significant issue is defining mandatory (must) and recommended/optional (should/may) requirements. In this regard, members noted that The Open Group standard terminology includes many terms which are unnecessary for our purpose and in fact introduce a measure of confusion. It was also noted that the IETF uses a well-established set of requirements definition terms published in IETF RFC 2119.

The SMA draft standard and traceability matrix are project members' working draft documents which are available to the SMA project members only. Interested members are welcome to contact The Open Group Director – Security Forum to become involved in this project.

Action: The SMA project leaders and team members will maintain progress on developing the SMA Standard.

Distributed Audit Services, Version 2

The project leader, David Corlette, gave a status update and future proposal review on the DASv2 project. The working paper is available to the project members only; interested members are welcome to contact The Open Group Director – Security Forum to become involved in this project.

Work on developing our base DASv2 specification has been on hold for 12 months pending completion of dependent work in the DMTF on developing CIM (Common Information Model) event objects in its CADF (Cloud Audit Data Federation) Work Group. After a brief overview of the background, current status, and proposal for how we are now ready to move forward with DASv2, members assessed the best ways to revive active member engagement, and outlined an action plan to do so:

Reach out to engage appropriately expert/experienced people (2 months)

Wait for the DMTF to release its CADF standard (expected by mid-September)

Begin development of additional CIM objects that are not defined in the CADF standard but needed in DASv2, and integrate the required CIM objects into the existing base DASv2 draft specification (4 months)

Action: The agreed outline plan for developing the DASv2 project will be launched.

TNSP Workshop: Integrating Security into the TOGAF Standard

This project has already delivered its recommended Part 1 (Fundamentals) Security Architecture contribution to the Architecture Forum "next version of TOGAF" team, and is now developing its Part 2 (Practitioner Guidance). Recent discussions in the TNSP project have highlighted that the key to developing the outline plans for Part 2 Sections 2-10 is establishing a substantive outline plan for the opening Section 1: "What is our Security Architecture Framework?". Therefore, in this meeting members focused on addressing this requirement. The Part 2 Section 1 team had already considered two SABSA papers contributed by John Sherwood (SABSA Institute), one of which includes a Figure 2 that describes the kind of Security Architecture that the TNSP Section 1 development team recommends we adopt for our security practitioner guidance. These working papers are available to the TNSP project members only; interested members are welcome to contact The Open Group Director – Security Forum to become involved in this project.

The Section 1 development team explained how it provides the framework to which all the other Sections 2-10 can link. The Figure 2 draft paper presents the framework using SABSA terminology, so this needs to be translated into TOGAF terminology. Members discussed a range of detailed observations about this Figure 2 to verify that it does meet the requirements they raised. In a second "Support" paper, John Sherwood explained how the upper three layers of its tiered model diagram address business requirements while the lower layers address technology, the whole indicating how to map to the four domains of the TOGAF standard.

The outcome of extensive and searching discussion was agreement that we should adopt these diagrams and their associated description as the basis for our TNSP Part 2 Security Practitioner Guidance Section 1, and title it "Trust Architecture Framework". This will provide the base architecture from which all our other TNSP Part 2 Sections 2-10 teams can link to develop their more detailed practitioner subject matter Outlines.

Action: A lead TNSP Part 2 Section 1 team member agreed to develop a first draft for Part 1 Section 1: "Trust Architecture Framework" by end July, including a description of how we will use it as the basis for developing the other Sections 2-10 and how it maps to the TOGAF domains and ADM.

Action: TNSP project members will review the TNSP Part 2 Section 1: "Trust Architecture Framework", and prepare their feedback on improving the draft, which will be finalized as an acceptable working draft in a conference call proposed in the first week of August.

Action: The Open Group Security Forum Director will arrange a TNSP members conference call during the first week in August for members to agree on an acceptable working draft of Part 2 Section 1 on which the TNSP Part 2 Sections 2-10 teams will base their development of outlines for Sections 2-10.

Outputs

As listed in the Summary section.

Next Steps

As indicated in the Summary section and related actions.

Links

As listed in the Summary section, or referenced via Security Forum project working draft documents available to project members only.